Policies¶
Policies define the security and compliance rules that govern agent behavior. AegisAI evaluates policies through an OPA-powered Rego engine with built-in templates for GDPR, HIPAA, and FZ-152.
Policy List¶
The Policies page shows all tenant policies with:
| Column | Description |
|---|---|
| Name | Policy display name |
| Severity | low, medium, high, critical |
| Status | Active or inactive |
| Default | Whether this is the tenant default policy |
| Description | Human-readable summary |
Use the Create Policy button to add a new policy from a template or scratch.
Policy Templates¶
Built-in Rego templates are available via GET /api/v1/policies/templates:
| Template ID | Name | Framework | Severity |
|---|---|---|---|
gdpr |
GDPR Compliance | EU General Data Protection Regulation | Critical |
hipaa |
HIPAA Compliance | US Health Insurance Portability and Accountability Act | Critical |
fz152 |
FZ-152 Personal Data | Russian Federal Law on Personal Data | Critical |
hitl |
Human-in-the-Loop | Requires human approval for critical ops | High |
custom |
Custom Policy Template | Customizable allow/deny rules | Medium |
GDPR Template¶
Enforces EU personal data protection:
- Blocks PII access without explicit consent
- Requires lawful basis for data processing
- Denies cross-border transfers without adequate safeguards
HIPAA Template¶
Protects Protected Health Information (PHI):
- Blocks PHI export or external transmission
- Requires authorization for PHI access
- Enforces minimum necessary access principle
FZ-152 Template¶
Enforces Russian personal data rules:
- Requires data localization within approved jurisdictions
- Controls cross-border data transfer
- Mandates consent for personal data processing
Compliance disclaimer
Built-in templates provide a starting point. Consult legal counsel to ensure policies meet your organization's regulatory obligations.
Creating a Policy¶
- Click Create Policy
- Select a template (or start blank)
- Configure:
- Name — e.g., "GDPR Compliance — Production"
- Description — purpose and scope
- Severity — impact level if violated
- Rules — JSON rule definitions (from template or custom)
- Active — enable immediately
- Default — apply as tenant default
- Click Save
Policy Check¶
Test whether an action is allowed before executing it:
curl -X POST http://localhost:8000/api/v1/policies/check \
-H "X-API-Key: <your-api-key>" \
-H "Content-Type: application/json" \
-d '{
"agent_id": "<uuid>",
"action": "read_data",
"resource": "customer_pii",
"context": {
"consent": true,
"lawful_basis": "consent",
"purpose": "customer_support"
}
}'
Response fields:
| Field | Type | Description |
|---|---|---|
allowed |
boolean | Whether the action is permitted |
reason |
string | Human-readable decision reason |
severity |
string | high, critical, or null |
required_approval |
boolean | Whether HITL approval is needed |
risk_score |
float | 0.0–1.0 composite risk score |
risk |
object | Risk level breakdown |
anomaly |
object | Anomaly detection result |
Denied actions
When allowed is false, a policy.violated WebSocket event is published. If an anomaly is detected, it is automatically reported.
Editing and Deleting¶
| Action | Endpoint | Permission |
|---|---|---|
| List | GET /api/v1/policies |
policies:read |
| Get | GET /api/v1/policies/{id} |
policies:read |
| Create | POST /api/v1/policies |
policies:create |
| Update | PUT /api/v1/policies/{id} |
policies:update |
| Delete | DELETE /api/v1/policies/{id} |
policies:delete |
OPA Integration¶
At startup, AegisAI loads all .rego files from policies/templates/ into OPA. The main.rego module aggregates decisions from all sub-modules.
If OPA is unavailable, the platform falls back to an in-process Python policy engine with equivalent GDPR, HIPAA, and FZ-152 logic.
Check OPA health:
Related Documentation¶
- HITL — approval workflow for blocked actions
- Anomalies — behavioral anomaly detection
- API Reference — full policy endpoints